The prevention of fraud and money-laundering are amongst the main objectives of Member States regarding public order. In principle, all existing national gambling regulations seek to prevent and tackle gambling fraud in order to protect consumers as well as gambling operators. Different types of fraudulent behaviour may occur in the online gambling environment but among them identity theft seems to be the most frequently committed crime.
Identity theft may be defined as the misuse of personal data in order to impersonate another individual with the intent to commit an illegal activity (e.g. abusing the victim’s banking or other facilities, unduly gaining employment or receive medical treatment). In the context of online gambling, identity theft aims at opening a player’s account falsely and is very often linked with unauthorised use of credit cards in order to obtain a credit and other benefits in another person’s name.
Another common fraudulent behaviour identified by stakeholders is the so called chargeback fraud. This occurs when an individual claims that a transaction is fraudulent and the credit card issuer then debits the money from the merchant’s account. This facility is designed to protect consumers from fraudulent use of their credit card, but can also be used to try to get back any losses they may have occurred while gambling. It is suggested that a significant number of these claims are fraudulent. When it comes to cyber-attacks against gambling operators’ infrastructure, their frequency and risk is not considered higher than in any other industry sector.
As for money laundering, there is currently very limited information or evidence suggesting that licensed online gambling operators in Europe are subject to money laundering activities. The prevailing problem is linked to unregulated operators who are offering their services at a distance from outside of the EU with either no or a very low degree of regulation and supervision.
The fact that regulated gambling operators are subject to strict antifraud and anti-money laundering provisions, which stem either from licensing conditions including certification of gambling equipment or internal risk assessment procedures, does not, however, mean that no problematic issues arise, in light of the cross border context. It seems that structured cooperation between national gambling authorities, national police and international enforcement authorities needs to be enhanced given the complexity of fraudulent transactions operators and regulators have to face. In a number of jurisdictions either no online gambling regulations exist or there are weak regulations and the lack of cooperation at the international level, including with authorities such as Interpol, gives rise to problems in the cross-border application and enforcement of existing tools, such as customer verification checks, transactions and audit trail integrity.
Commission initiative on identity theft
The Commission has been addressing identity theft for several years, both with legislative measures and with other initiatives. In 1995 a Directive on the protection of individuals with regard to the processing of personal data was adopted (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). The Directive laid down rules for the legitimacy and the confidentiality and security of data processing. The EU Action Plans 2001-2003 and 2004-2007 on fraud on non-cash means of payment developed public/private cooperation between the financial sector, law enforcement agencies, other Ministries, retailers and consumer groups (Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee, the European Central Bank and Europol of 20 October 2004 – A new EU Action Plan 2004- 2007 to prevent fraud on non-cash means of payment [COM(2004) 679 final – Official Journal C 49 of 28.6.2006].).
The need to more effectively combat identity theft on a transnational level has been recognized in the EU policy framework on several occasions, such as for example in the 2009 Stockholm Programme (The Stockholm Programme: An open and secure Europe serving the citizen, is a five-year plan with guidelines for justice and home affairs of the member states of the European Union for the years 2010 through 2014.) and in the 2010 Council Conclusions on Preventing and Combating Identity-Related Crimes and on Identity Management. (Council conclusions on preventing and combating identity related crimes and on identity management, including the establishment and development of permanent structured cooperation between the Member States of the European Union, adopted on 2 and 3 December 2010) The Commission also carried out a study on the status quo of the legal framework governing identity theft in the Member States, which resulted in a 2011 report on the “Comparative Study on Legislative and Non- Legislative Measures to Combat Identity Theft and Identity-Related Crime”. As a follow up to this report, the Commission has launched an external study for an impact assessment to explore what is needed to tackle the issue of identity theft effectively. Subject to the results of the study and the Commission impact assessment, such provisions may include a common definition of identity theft, the establishment of identity theft as a criminal offence, measures to protect the victims of identity theft, and an obligation to establish national reporting mechanisms that would also allow a follow-up of complaints.
In this context, the possibility of mandating the European Cybercrime Centre (Communication from the Commission to the Council and the European Parliament of 28 March 2012 Tackling Crime in our Digital Age: Establishing a European Cybercrime Centre COM(2012) 140 final, Council Conclusions of 4 June 2012 on the establishment of a European Cybercrime Centre) to cover other forms of cybercrime than those related to identity theft such as hacking into on-line gambling systems, will be explored. The European Cybercrime Centre, which will be established within Europol in the beginning of 2013, will strengthen the EU’s capacity to tackle cybercrime and could contribute to addressing other forms of cybercrime. It should, amongst other, help the fight against online identity theft by tackling organized crime groups involved in online fraud through stolen credit cards and banking credentials. The Centre should act as the focal point in the fight against cybercrime in the EU, having four core functions
- it should serve as the European cybercrime information focal point,
• it should pool European cybercrime expertise to support Member States,
• it should provide support to Member States’ cybercrime investigations,
• it should become the collective voice of European cybercrime investigators across law enforcement and the judiciary.
The EU Anti-Money Laundering Directive
The Green Paper consultation has confirmed that the following practices are being used for money laundering purposes:
- Online gambling firms credit winnings or unused funds back to an account other than the one from which the original bet was made,
• Players are allowed to register multiple accounts with the same operator,
• Peer-to-peer games such as e-poker, where value transfers can occur between both electronic and human players as a result of deliberate losses, at a relatively low cost to the players. Players will make large bets on very bad hands (expecting to lose to the accomplice),
• Use of e-cash as a payment option or similar means of payments such as Stored Value Cards (those of concern are characterised by high limits, no post-purchase monitoring and poor KYC controls).
As regard the EU legislative framework, the AMLD (Directive 2005/60/EC)) applies to casinos with regard to gambling activities. The term ‘casinos’ is not defined in the Directive. In addition to the general aspects caught by the Directive as described above in section 4.1, the Green Paper consultation shows that regulated online gambling operators and national regulators have established a range of operational practices to fight against money laundering. These include:
- Customer due diligence tools aimed at verifying the player’s identity, the player’s place of residence and, the player’s valid e-mail address. The due diligence process may include velocity analysis (deposit/trades), geographic risk analysis, player behaviour anomaly, exposing player associations and cybercrime arrest policy. In all cases the player has to opt-in to provide the relevant personal data to allow for his account to be established,.
- Payment controls whereby the player should always receive any pay out from winnings by the same means in which the money was originally received (and to the account from which it was deposited). Operators also carry out controls over the credit card numbers and personal data, relating to players, which they have stored in their systems. Moreover, direct payments between customers are often prohibited. With regard to the use of means of payment (e.g. credit cards, pay safe cards) for online gambling, it is suggested that these could pose different risks in terms of fraud and money laundering. Some may be subject to identity thefts whilst others, due to their anonymity, could be abused for money laundering operations. Operators deal with the different fraud/money laundering risks within the due diligence checks carried out on customers, taking account of the degree of regulation of the different payment systems and anti-money laundering controls already applicable to the financial sector.
- Operational controls whereby operators use age verification lists and lists used by banks to identify terrorists and politically exposed persons (PEPs), i.e. World Check and the European Sports Security Association’s (ESSA ) watch list. Operators also keep statistical records of transactional behaviour, which must comply with EU data protection rules, in order to be able to identify suspicious activities. They are required to apply stricter due diligence requirements where there are high limits on stakes. Operators must also submit Suspicious Activity Reports (SAR) to the national Financial Intelligence Units (FIU).
There is a broad demand to extend the scope of application of the AMLD to all types of games of chance. This general support for a broader definition of gambling under the AMLD is based on a number of reasons. Namely, to create a level playing field for all gambling operators since the cost of compliance would give entities that are not covered an “unfair” economic advantage, and to remove market access obstacles arising from the application of different national anti-money laundering regulations in the field of gambling.
The Directive is currently under review and the Commission services have been seeking views from stakeholders about how the Directive is applied, and what possible changes could be introduced when the Directive is revised. The process of revision of the AMLD will not be confined to a straight implementation of the new FATF international standards. The Commission is conducting its own review process to assess the need for change to EU rules beyond simply taking on board the new FATF standards. The Commission will reflect on how broad the definition of gambling should be, and how could proportionality be assured (for example, ensuring that bars and social establishments that include one or two slot machines would not fall under the AMLD rules).
Certification of gambling equipment
Certification of gambling equipment is another instrument used in the gambling sector in order to prevent fraud. Certification of online gambling software is commonly required by Member State’s competent authorities within the process of gambling licence application. To that end accredited testing agencies, specialising in the certification of online gambling software and systems are being entrusted.
In this context, there is a strong call by gambling operators for more approximation of technical standards so that re-testing and certification of equipment, with the associated costs, is not required. The Commission services indeed believe that in order to ensure a comparable level of security of online gambling in the EU as well as to reduce the administrative burden relating to different national certification procedures, it would be useful to explore the possibility of introducing an EU standard on gaming equipment certification. The main added value of European standardisation is facilitation of free movement of goods and services.
Standards normally increase competition and lower output and sales costs, benefiting economies as a whole. In addition standards may maintain and enhance quality, provide information and ensure interoperability and compatibility, thereby increasing value for consumers. European standards are adopted by CEN, the European Committee for Electrotechnical Standardisation (CENELEC) or the European Telecommunications Standards Institute (ETSI).
© European Union